Hi all,
I have a 2 gateway setup. I have my primary gateway on ether1 and a secondary gateway on ether2. The primary gateway on ether1 has a static IP address.
The router is connected to the ISP's DSL modem router. This connection is working. However, I am unable to connect by this gateway. I cannot see any error in the logs at least in the way they are currently configured. I had the ISP check their connection and it is working.
The secondary gateway however is working. This gateway has an IP address from a dhcp-server belonging to the ISP.
Is there something wrong with the way I have configured my router?
This configuration used to work. The only thing that I have done is to update routerOS regularly.
See below for the detailed router configuration.
Note:
I am trying to attach it to keep things clean.
Pranav
Primary gateway with static ip address not activating
You do not have the required permissions to view the files attached to this post.
Re: Primary gateway with static ip address not activating
Post the output of:
and of:
You seem to be using recursive for failover, and the behaviour has changed between 6.x and 7.x, you now need appropriate scope and target scope, check this post by anav:
viewtopic.php?t=216274
viewtopic.php?t=216274#p1138880
Code: Select all
/ip route printCode: Select all
/ip address printviewtopic.php?t=216274
viewtopic.php?t=216274#p1138880
Re: Primary gateway with static ip address not activating
Hi,
Here is the output.
Here is the output.
Code: Select all
[pranav@ConShield] > /ip route print
Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 Xs 0.0.0.0/0 122.176.152.1
1 As 0.0.0.0/0 122.176.152.1 1
D d 0.0.0.0/0 192.168.100.1 2
DAc 122.176.152.0/24 ether1 0
DAc 192.168.3.0/24 bridge 0
DAc 192.168.88.0/24 bridge 0
DAc 192.168.89.0/24 bridge 0
DAc 192.168.100.0/24 ether2 0
[
[pranav@ConShield] > /ip address print
Flags: X - DISABLED; D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
;;; defconf
0 192.168.88.1/24 192.168.88.0 bridge
;;; automation and cameras
1 192.168.89.1/24 192.168.89.0 bridge
2 192.168.3.1/24 192.168.3.0 bridge
;;; airtel
3 122.176.152.228/24 122.176.152.0 ether1
4 X 192.168.1.2/24 192.168.1.0 ether1
5 D 192.168.100.7/24 192.168.100.0 ether2
[
Re: Primary gateway with static ip address not activating
Not sure how pppoe works but for security purposes, would remove any username passwords and any public IP address associated from your config.
1. As to the config I didnt get past your IP addressess which are wrong.
You have ONE bridge, and one subnet and pool and address associated so not sure what you are trying to do with this......
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.89.1/24 comment="automation and cameras" interface=bridge \
network=192.168.89.0
add address=192.168.3.1/24 interface=bridge network=192.168.3.0
add address=122.176.152.228/24 comment=airtel interface=ether1 network=122.176.152.0
add address=192.168.1.2/24 disabled=yes interface=ether1 network=192.168.1.0 ????????????????????????????????????????
bridge should only have one address associated. if you need multiple subnets then use bridge for one address covering the applicable ports and use a separate subnet and address for each different port. OR use one bridge for all lan ports and use vlans to distribute the subnets as required.
If you have pppoe I dont think an address is appropriate
Similarly if you telll the pppoe to have default route then a manual IP route is not appropriate.
Suggest you do not apply a default route in pppoe if you want to do some recursive routing manually
1. As to the config I didnt get past your IP addressess which are wrong.
You have ONE bridge, and one subnet and pool and address associated so not sure what you are trying to do with this......
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.89.1/24 comment="automation and cameras" interface=bridge \
network=192.168.89.0
add address=192.168.3.1/24 interface=bridge network=192.168.3.0
add address=122.176.152.228/24 comment=airtel interface=ether1 network=122.176.152.0
add address=192.168.1.2/24 disabled=yes interface=ether1 network=192.168.1.0 ????????????????????????????????????????
bridge should only have one address associated. if you need multiple subnets then use bridge for one address covering the applicable ports and use a separate subnet and address for each different port. OR use one bridge for all lan ports and use vlans to distribute the subnets as required.
If you have pppoe I dont think an address is appropriate
Similarly if you telll the pppoe to have default route then a manual IP route is not appropriate.
Suggest you do not apply a default route in pppoe if you want to do some recursive routing manually
Last edited by anav on Thu Apr 24, 2025 7:00 pm, edited 1 time in total.
Re: Primary gateway with static ip address not activating
Ok, let's ignore the routes marked as DAc (Dynamic, Active, connect), they are automatically created by the settings in /ip address.
The three routes you have:
the second #1 is the route that can be taken (Active, static) and it is the same as the previous one with added a check gateway).
The third is "D d" a route coming from the DHCP server (Dynamic and d) which is not active (i.e. it is not DAd) because it has a greater distance (distance=2) than the route before (that has distance=1).
The second route goes through ether1.
The third route goes through a local gateway (likely your ISP's modem/router) and is obtained by the setting:
Both ether1 and ether2 are categorized as WAN, ok.
The firewall nat is confusing:
The three routes you have:
the first, #0 is disabled (X) so it is like it doesn't exist.0 Xs 0.0.0.0/0 122.176.152.1
1 As 0.0.0.0/0 122.176.152.1 1
D d 0.0.0.0/0 192.168.100.1 2
the second #1 is the route that can be taken (Active, static) and it is the same as the previous one with added a check gateway).
The third is "D d" a route coming from the DHCP server (Dynamic and d) which is not active (i.e. it is not DAd) because it has a greater distance (distance=2) than the route before (that has distance=1).
The second route goes through ether1.
The third route goes through a local gateway (likely your ISP's modem/router) and is obtained by the setting:
and it goes through ether2./ip dhcp-client
add default-route-distance=2 interface=ether2
Both ether1 and ether2 are categorized as WAN, ok.
The firewall nat is confusing:
So, what is connected to ether1 and ether2?/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN <- this should cover BOTH ether1 and ether2
add action=redirect chain=dstnat dst-port=53 protocol=udp to-addresses=\
192.168.88.1 to-ports=53
add action=src-nat chain=srcnat disabled=yes ipsec-policy=out,none \
out-interface=ether1 to-addresses=122.176.78.92 <- this is disabled
add action=masquerade chain=srcnat out-interface=ether1 <- this should be removed, as ether1 is part of WAN and first rule already covers that
Re: Primary gateway with static ip address not activating
Hi all,
So, this configuration has grown overtime. I no longer use pppoe and the user name and password have no meaning.
One thing I was told is that I could associate multiple network segments with a single interface which is why there are those multiple segments on the bridge.
Ether1 is the primary airtel gateway which has the static ip address. It has a modem from Airtel (my primary ISP) connected to it.
Ether 2 also has a ISP modem connected to it. That takes its address from dhcp. That is my secondary isp.
As for vlans, my understanding is that if I use vlans, I need to have a vlan aware switch. I do not have that. My only reason for having multiple segments is to take out devices that need static IP addresses like my NAS box and some cameras.
I know, I can use the make-static command to make a dhcp address perminant for a device. I have begun doing this now but the old configuration persists.
Here is what I have done so far.
1. Removed the pppoe client. It is not needed.
2. Disabled the third entry in /ip firewall nat
3. Added comments to the nat entries for ease of reference.
I have a recursive route set. Before the upgrade, I had no problem with this configuration.
I see from one of Anav's posts that I need to set scope, distance and target but do not know what to set those values too.
I am happy to clean up this configuration as well.
Pranav
So, this configuration has grown overtime. I no longer use pppoe and the user name and password have no meaning.
One thing I was told is that I could associate multiple network segments with a single interface which is why there are those multiple segments on the bridge.
Ether1 is the primary airtel gateway which has the static ip address. It has a modem from Airtel (my primary ISP) connected to it.
Ether 2 also has a ISP modem connected to it. That takes its address from dhcp. That is my secondary isp.
As for vlans, my understanding is that if I use vlans, I need to have a vlan aware switch. I do not have that. My only reason for having multiple segments is to take out devices that need static IP addresses like my NAS box and some cameras.
I know, I can use the make-static command to make a dhcp address perminant for a device. I have begun doing this now but the old configuration persists.
Here is what I have done so far.
1. Removed the pppoe client. It is not needed.
2. Disabled the third entry in /ip firewall nat
3. Added comments to the nat entries for ease of reference.
I have a recursive route set. Before the upgrade, I had no problem with this configuration.
I see from one of Anav's posts that I need to set scope, distance and target but do not know what to set those values too.
I am happy to clean up this configuration as well.
Pranav
Re: Primary gateway with static ip address not activating
Yes please, clean up the config, garbage is noise and noise makes it difficult to read a config OR to spot errors..........
Re: Primary gateway with static ip address not activating
Yep, but your LAN (the bridge) has three networks (192.168.3.0, 192.168.88.0 and 192.168.89.0, with the dhcp server on 192.168.88.1), the device connected to the ether2 must be a router (as the 192.168.100.1 is a private address), the device has a dhcp server and the MIkrotik gets the address for ether2 from it, as 192.168.100.2.
I am not sure to understand which kind of device is the airtel at 122.176.152.1 .
Anyway, can you ping from the hap Ac2 the 122.176.152.1?
And what happens with a traceroute to (say) 8.8.8.8?
I am not sure to understand which kind of device is the airtel at 122.176.152.1 .
Anyway, can you ping from the hap Ac2 the 122.176.152.1?
And what happens with a traceroute to (say) 8.8.8.8?
Re: Primary gateway with static ip address not activating
a diagram and revised cleaned up config may help us provide better assistance.
Re: Primary gateway with static ip address not activating
Hi all,
Many thanks for your advice and patience so far. I have done significant cleaning of the configuration. At one point, I did try defining a vlan but that failed so I have deleted the extra IP addresses and vlans away.
I have also cleaned things up considerably.
I am attaching the updated configuration file.
Also, see output of /ip root print and /ip address
Many thanks for your advice and patience so far. I have done significant cleaning of the configuration. At one point, I did try defining a vlan but that failed so I have deleted the extra IP addresses and vlans away.
I have also cleaned things up considerably.
I am attaching the updated configuration file.
Also, see output of /ip root print and /ip address
Code: Select all
[pranav@ConShield] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 As 0.0.0.0/0 122.176.152.1 1
D d 0.0.0.0/0 192.168.100.1 2
DAc 122.176.152.0/24 ether1 0
DAc 192.168.88.0/24 bridge 0
DAc 192.168.89.0/24 vlan10 0
DAc 192.168.100.0/24 ether2 0
[Code: Select all
[pranav@ConShield] /ip/address> print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
;;; defconf
0 192.168.88.1/24 192.168.88.0 bridge
;;; airtel
1 122.176.152.228/24 122.176.152.0 ether1
2 192.168.89.1/24 192.168.89.0 vlan10
3 D 192.168.100.7/24 192.168.100.0 ether2
[
[code]You do not have the required permissions to view the files attached to this post.
Re: Primary gateway with static ip address not activating
This is a clue that the router is not happy with your config.......
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=*9 list=WAN
add interface=ether2 list=WAN
/ipv6 dhcp-client
add add-default-route=yes interface=*9 pool-name=delegation \
pool-prefix-length=56 request=address,prefix
Is this an IPV6 connection??
Something is wrong with your connection on ether1???
get rid of raw rules - garbage not required.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=*9 list=WAN
add interface=ether2 list=WAN
/ipv6 dhcp-client
add add-default-route=yes interface=*9 pool-name=delegation \
pool-prefix-length=56 request=address,prefix
Is this an IPV6 connection??
Something is wrong with your connection on ether1???
get rid of raw rules - garbage not required.
Re: Primary gateway with static ip address not activating
Hi,
The connection on ether 1 is ip v4. I have deleted the ip v6 interface which was cluttering things up.
One of my ISPs was going to transition to ip v6 but that did not happen. I should have cleaned it out but did not.
I am attaching the latest configuration.
The connection on ether 1 is ip v4. I have deleted the ip v6 interface which was cluttering things up.
One of my ISPs was going to transition to ip v6 but that did not happen. I should have cleaned it out but did not.
I am attaching the latest configuration.
You do not have the required permissions to view the files attached to this post.
Re: Primary gateway with static ip address not activating
You didnt get rid of raw rules................
Re: Primary gateway with static ip address not activating
Hi @anav
I had added these raw rules in the belief that they will make the router less prone to attacks. Has that changed? Should I delete all the raw rules from 1 to 21?
I have also further simplified things where I have disabled the fail over completely. I am thinking it may be easier to add in the fail over from scratch. Here is the updated routing table.
Here is the result of
I had added these raw rules in the belief that they will make the router less prone to attacks. Has that changed? Should I delete all the raw rules from 1 to 21?
I have also further simplified things where I have disabled the fail over completely. I am thinking it may be easier to add in the fail over from scratch. Here is the updated routing table.
Code: Select all
[pranav@ConShield] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 As 0.0.0.0/0 122.176.152.1 1
DAc 122.176.152.0/24 ether1 0
DAc 192.168.88.0/24 bridge 0
DAc 192.168.100.0/24 ether2 0
[
Code: Select all
/ip address printCode: Select all
[pranav@ConShield] /ip> address print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
;;; defconf
0 192.168.88.1/24 192.168.88.0 bridge
;;; airtel
1 122.176.152.228/24 122.176.152.0 ether1
2 D 192.168.100.7/24 192.168.100.0 ether2
[
Re: Primary gateway with static ip address not activating
Check this post by anav where an example is given for recursive on 7.x:
viewtopic.php?t=216274#p1138880
As I see it, the "normal", "default" firewall is good enough in most cases, it can be tweaked and tuned, but the base is solid, using firewall raw should be needed only in exceptional cases, and it is easy to accidentally insert in it a restrictive rule that does more than what you expect, so - at least for testing - rules in firewall raw should be removed (and if the case only added later).
viewtopic.php?t=216274#p1138880
As I see it, the "normal", "default" firewall is good enough in most cases, it can be tweaked and tuned, but the base is solid, using firewall raw should be needed only in exceptional cases, and it is easy to accidentally insert in it a restrictive rule that does more than what you expect, so - at least for testing - rules in firewall raw should be removed (and if the case only added later).
Re: Primary gateway with static ip address not activating
Hi @jaclaz
I have read the post at viewtopic.php?t=216274#p1138880 several times but am not sure what applies to my situation. I have tried looking for documentation on targets and scopes and have found some answers but am still confused.
I understand up till the point where my default route via my primary gateway has to have a lesser distance value than that of the route from the secondary gateway.
I am however confused by scopes and targets. Still, here are the commands I plan to run.
Are these accurate for my situation?
I have read the post at viewtopic.php?t=216274#p1138880 several times but am not sure what applies to my situation. I have tried looking for documentation on targets and scopes and have found some answers but am still confused.
I understand up till the point where my default route via my primary gateway has to have a lesser distance value than that of the route from the secondary gateway.
I am however confused by scopes and targets. Still, here are the commands I plan to run.
Code: Select all
add dst-address=8.8.8.8/32 gateway=122.176.152.1 scope=10 comment="Primary check IP via ether1"
add dst-address=208.67.222.222/32 gateway=192.168.100.1 scope=10 comment="Secondary check IP via ether2"
add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=1 target-scope=10 check-gateway=ping comment="Primary default route"
add dst-address=0.0.0.0/0 gateway=208.67.222.222 distance=2 target-scope=10 check-gateway=ping comment="Secondary default route"
Re: Primary gateway with static ip address not activating
No, the target scope of the "main" route (through the canary address) should be +1 of the "narrow" route, and this latter +1 of scope, (and scopes can be all the same like 10), It may not be strictly speaking 100% correct, but it is easy to remember. i.e.:Are these accurate for my situation?Code: Select alladd dst-address=8.8.8.8/32 gateway=122.176.152.1 scope=10 comment="Primary check IP via ether1" add dst-address=208.67.222.222/32 gateway=192.168.100.1 scope=10 comment="Secondary check IP via ether2" add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=1 target-scope=10 check-gateway=ping comment="Primary default route" add dst-address=0.0.0.0/0 gateway=208.67.222.222 distance=2 target-scope=10 check-gateway=ping comment="Secondary default route"
See also this:add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=1 scope=10 target-scope=12 check-gateway=ping comment="Primary default route"
add dst-address=8.8.8.8/32 gateway=122.176.152.1 distance=1 scope=10 target-scope=11 comment="Primary check IP via ether1"
-----
add dst-address=0.0.0.0/0 gateway=208.67.222.222 distance=2 scope=10 target-scope=12 check-gateway=ping comment="Secondary default route"
add dst-address=208.67.222.222/32 gateway=192.168.100.1 distance=2 scope=10 target-scope=11 comment="Secondary check IP via ether2"
viewtopic.php?t=173227
BUT, at the end of the day if Primary fails, then Secondary should be enabled but what other (Tertiary) connection do you have?
If none the above can be simplified to:
The logic is that you check Primary, and if it fails then Secondary becomes active, but since you have no other way out, checking if Secondary is working is not needed as EITHER:add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=1 scope=10 target-scope=12 check-gateway=ping comment="Primary default route"
add dst-address=8.8.8.8/32 gateway=122.176.152.1 distance=1 scope=10 target-scope=11 comment="Primary check IP via ether1"
-----
add dst-address=0.0.0.0/0 gateway=192.168.100.1 distance=2 comment="Secondary default route"
1) it works and you have connection
OR:
2) it doesn't work and you don't have connection
checking if it has connection has no use as it doesn't really change anything, when (if) Primary resumes, Secondary will become non active, no matter if it has connection or not.
All this said, it is very easy to get confused when attempting to make a recursive set of routes with scopes, target scopes, canary addresses, and what not, JFYI, this method here with netwatch is much simpler:
viewtopic.php?t=198999
viewtopic.php?t=198999#p1102129
Re: Primary gateway with static ip address not activating
Hi @Jaklaz
Many thanks for your explanation. I think I understand recursive routes better and have implemented your simplified approach. However, I am considering the netwatch approach since I can get notifications. Here is my set of commands. Are they correct?
Many thanks for your explanation. I think I understand recursive routes better and have implemented your simplified approach. However, I am considering the netwatch approach since I can get notifications. Here is my set of commands. Are they correct?
Code: Select all
add dst-address=0.0.0.0/0 gateway=192.168.100.1 distance=1 comment="Secondary_failover"
add dst-address=0.0.0.0/0 gateway=122.176.152.1 distance=2 "route to primary gateway"
/ip routing table add name=FTH fib
/ip route add dst-address=0.0.0.0/0 gateway=122.176.152.1 routing-table=FTH
/ip firewall mangle add chain=output dst-address=8.8.8.8 protocol=icmp action=mark-routing new-routing-mark=FTH
/tool netwatch add host=8.8.8.8 type=icmp interval=30s timeout=5s \
down-script="/ip route enable [find comment=secondary-failover]" \
up-script="/ip route disable [find comment=secondary-failover]"
Re: Primary gateway with static ip address not activating
No, the target scope of the "main" route (through the canary address) should be +1 of the "narrow" route, and this latter +1 of scope, (and scopes can be all the same like 10), It may not be strictly speaking 100% correct, but it is easy to remember. i.e.:
Strictly speaking you can "set scope to 10 and forget" because in the background RouterOS silently increases the scope value of the route to become at least 1 more than the scope of the gateway https://help.mikrotik.com/docs/spaces/R ... thopLookup
So, if we want to be explicit, your example routes should be like this:
add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=1 scope=12 target-scope=11 check-gateway=ping comment="Primary default route"
add dst-address=8.8.8.8/32 gateway=122.176.152.1 distance=1 scope=11 target-scope=10 comment="Primary check IP via ether1"
-----
add dst-address=0.0.0.0/0 gateway=208.67.222.222 distance=2 scope=12 target-scope=11 check-gateway=ping comment="Secondary default route"
add dst-address=208.67.222.222/32 gateway=192.168.100.1 distance=2 scope=11 target-scope=10 comment="Secondary check IP via ether2"
The green target scope of 10 is enough because the routes for targets 192.168.100.1 and 122.176.152.1 are connected routes with default scope 10.
To be even more correct, we can give the two default routes, which are "static" routes, the default scope value 30:
add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=1 scope=30 target-scope=11 check-gateway=ping comment="Primary default route"
add dst-address=8.8.8.8/32 gateway=122.176.152.1 distance=1 scope=11 target-scope=10 comment="Primary check IP via ether1"
-----
add dst-address=0.0.0.0/0 gateway=208.67.222.222 distance=2 scope=30 target-scope=11 check-gateway=ping comment="Secondary default route"
add dst-address=208.67.222.222/32 gateway=192.168.100.1 distance=2 scope=11 target-scope=10 comment="Secondary check IP via ether2"
Re: Primary gateway with static ip address not activating
Hi,
In many/most cases with a static IP address, you should get it from the ISP using dhcp or pppoe.
Static meaning they always give you the same ip address, not that you set it up yourself.
When you request and get the IP address from them, they know the mac address they need to connect to.
It likely gets stored in their radius system.
In many/most cases with a static IP address, you should get it from the ISP using dhcp or pppoe.
Static meaning they always give you the same ip address, not that you set it up yourself.
When you request and get the IP address from them, they know the mac address they need to connect to.
It likely gets stored in their radius system.
Re: Primary gateway with static ip address not activating
@CGGXANNX
Yes, exactly
, that is why I say not 100% correct, the scope "always" 10, add one for target-scope 11 (+1) for the narrow route and add again one for target-scope 12 (+1) for the main route is only much simpler to remember, as long as it works, though of course the "proper" way is the one you explained.
@slimprize
Yes, those would be seemingly fine for the original (but more complex) "simple" approach by Filo, the "further simplified" one:
viewtopic.php?t=198999#p1102129
need not the added routing table and mangling.
A word of general warning, Dos/Windows are generally speaking case insensitive, Unix/Linux - again generally speaking - are instead case sensitive, so it is always a good idea (no idea if it matters in this case, pardon me the pun) to respect case, namely:
Yes, exactly
, that is why I say not 100% correct, the scope "always" 10, add one for target-scope 11 (+1) for the narrow route and add again one for target-scope 12 (+1) for the main route is only much simpler to remember, as long as it works, though of course the "proper" way is the one you explained.@slimprize
Yes, those would be seemingly fine for the original (but more complex) "simple" approach by Filo, the "further simplified" one:
viewtopic.php?t=198999#p1102129
need not the added routing table and mangling.
A word of general warning, Dos/Windows are generally speaking case insensitive, Unix/Linux - again generally speaking - are instead case sensitive, so it is always a good idea (no idea if it matters in this case, pardon me the pun) to respect case, namely:
may or may not be found by:add dst-address=0.0.0.0/0 gateway=192.168.100.1 distance=1 comment="Secondary_failover"
The "simpler" approach also uses dst-address and gateway as search parameter, this way you have not the issue (numbers are the same small or capital) but more than that you do not depend on the comment(s) of the route(s) (that three, six, or twelve months in the future you may decide to change without thinking that they are relevant for the failover).down-script="/ip route enable [find comment=secondary-failover]" \
up-script="/ip route disable [find comment=secondary-failover]"
Re: Primary gateway with static ip address not activating
Lets set the rules straight here!!!
TWO RULES OF THUMB (scope & target scope):
First Rule. The resolving route (DIRECT - connected route) with dst-address TO the "real WWW IP (dns site)" and with local ISP gateway IP, has Target-Scope=X and the recursive route (INDIRECT - external route) with gateway IP VIA the "real work WWW gateway IP (dns site)" has Target-Scope=X+1. In other words, the farther one gets from the router, the TS increases by one.
Second Rule. Between the same two routes being compared, the Direct , connected route, with local ISP gateway IP (resolving route) has to have a SCOPE that is equal to or less than the TARGET SCOPE of the recursive route. In other words, the scope of the route must be equal or less than the target scope of the next farthest route.
To keep it simple, an easy approach is to provide the same scope for all routes, and it has to be equal to or less than the closest recursive route.
Thus if we know we are starting TS with 12 and there is one recursive route, we can set all scopes to 11.
Since in the past I used to use two recursive routes, is kinda where I ended up with 10 as my defacto scope setting 12,11,10 for TS and thus 10 for all scopes.
As far as heads up...........
My primary IP is dynamic and when the IP changes I get an email............ and a telegram............
:if ($bound=1) do={
:local gw $"gateway-address"
/ip route set [ find comment="PrimaryRecursive" gateway!=$gw ] gateway=$gw
/tool e-mail send to="emailaddress@gmail.ca" subject=([/system identity
get name]) body=" This is your new gateway IP: $gw";
:local sub3 ([/system clock get time])
/tool fetch "https://api.telegram.org/text=At+$sub3+ ... nged+WANIP"
:log info "Telegram notification sent PrimaryWAN IP Changed"
}
TWO RULES OF THUMB (scope & target scope):
First Rule. The resolving route (DIRECT - connected route) with dst-address TO the "real WWW IP (dns site)" and with local ISP gateway IP, has Target-Scope=X and the recursive route (INDIRECT - external route) with gateway IP VIA the "real work WWW gateway IP (dns site)" has Target-Scope=X+1. In other words, the farther one gets from the router, the TS increases by one.
Second Rule. Between the same two routes being compared, the Direct , connected route, with local ISP gateway IP (resolving route) has to have a SCOPE that is equal to or less than the TARGET SCOPE of the recursive route. In other words, the scope of the route must be equal or less than the target scope of the next farthest route.
To keep it simple, an easy approach is to provide the same scope for all routes, and it has to be equal to or less than the closest recursive route.
Thus if we know we are starting TS with 12 and there is one recursive route, we can set all scopes to 11.
Since in the past I used to use two recursive routes, is kinda where I ended up with 10 as my defacto scope setting 12,11,10 for TS and thus 10 for all scopes.
As far as heads up...........
My primary IP is dynamic and when the IP changes I get an email............ and a telegram............
:if ($bound=1) do={
:local gw $"gateway-address"
/ip route set [ find comment="PrimaryRecursive" gateway!=$gw ] gateway=$gw
/tool e-mail send to="emailaddress@gmail.ca" subject=([/system identity
get name]) body=" This is your new gateway IP: $gw";
:local sub3 ([/system clock get time])
/tool fetch "https://api.telegram.org/text=At+$sub3+ ... nged+WANIP"
:log info "Telegram notification sent PrimaryWAN IP Changed"
}
Re: Primary gateway with static ip address not activating
Yep , since what probably 99% of people need is one recursive route (or maybe two), one can simply bypass the extensive, but complex, explanation on how it works and why it works and just remember three steps with 10, 11 and 12 and implement them as an act of faith:
I.e., easily condensed in a 12 points
numbered list: 
:
1. Imagine here a complex explanation of how recursive works, then ignore it.
2. Imagine here a complex explanation of how recursive works, then ignore it.
3. Imagine here a complex explanation of how recursive works, then ignore it.
4. Imagine here a complex explanation of how recursive works, then ignore it.
5. Imagine here a complex explanation of how recursive works, then ignore it.
6. Imagine here a complex explanation of how recursive works, then ignore it.
7. Imagine here a complex explanation of how recursive works, then ignore it.
8. Imagine here a complex explanation of how recursive works, then ignore it.
9. Imagine here a complex explanation of how recursive works, then ignore it.
10. Both routes must have scope=10
11. The "narrow" (/32) route to the canary must have target-scope=11
12. The "wide" (0.0.0.0/0) route must have target scope=12
Easy to remember and good enough for the 99%, the 1 % can take their time reading (and hopefully understanding) the extensive and complex explanations by anav, Chupaka or CGGXANNX, before implementing steps 10-12
.
, since what probably 99% of people need is one recursive route (or maybe two), one can simply bypass the extensive, but complex, explanation on how it works and why it works and just remember three steps with 10, 11 and 12 and implement them as an act of faith:I.e., easily condensed in a 12 points
numbered list: :1. Imagine here a complex explanation of how recursive works, then ignore it.
2. Imagine here a complex explanation of how recursive works, then ignore it.
3. Imagine here a complex explanation of how recursive works, then ignore it.
4. Imagine here a complex explanation of how recursive works, then ignore it.
5. Imagine here a complex explanation of how recursive works, then ignore it.
6. Imagine here a complex explanation of how recursive works, then ignore it.
7. Imagine here a complex explanation of how recursive works, then ignore it.
8. Imagine here a complex explanation of how recursive works, then ignore it.
9. Imagine here a complex explanation of how recursive works, then ignore it.
10. Both routes must have scope=10
11. The "narrow" (/32) route to the canary must have target-scope=11
12. The "wide" (0.0.0.0/0) route must have target scope=12
Easy to remember and good enough for the 99%, the 1 % can take their time reading (and hopefully understanding) the extensive and complex explanations by anav, Chupaka or CGGXANNX, before implementing steps 10-12
.Re: Primary gateway with static ip address not activating
If you think the two rules are complex, I imagine you don't do the cooking at home ;-PP
I dont disagree with the simple approach, but nothing wrong with knowing how one gets there and thus able to adjust if required.
I dont disagree with the simple approach, but nothing wrong with knowing how one gets there and thus able to adjust if required.
Re: Primary gateway with static ip address not activating
Yep, but the idea is just something more like a mnemonic:
Minus times minus is plus The reason for this we need not discuss
Minus times minus is plus The reason for this we need not discuss